CVE-2026-31899

Published: Mar 13, 2026Modified: Mar 18, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.

Affected (1)

Products: Courtbouillon: Cairosvg

Courtbouillon

1 product

Cairosvg

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Courtbouillon Cairosvg	Before 2.9.0

Related CWEs

CWE-674

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

References (2)

https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf

Source: security-advisories@github.com

Patch

https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.